Date:      Wed, 6 Jun 2012 13:50:18 -0500
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Michael Sierchio <kudzu@tenebras.com>
Cc:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>, Simon <simon@optinet.com>
Subject:   Re: Proper Port Forwarding
Message-ID:  <20120606185018.GA67937@dan.emsphone.com>
In-Reply-To: <CAHu1Y71_JwPSv13WQJXmkBX=bjCzhuW7+SPxwuz_1=o9qckpsw@mail.gmail.com>
References:  <20120606183127.68447106566B@hub.freebsd.org> <CAHu1Y71_JwPSv13WQJXmkBX=bjCzhuW7+SPxwuz_1=o9qckpsw@mail.gmail.com>

In the last episode (Jun 06), Michael Sierchio said:
> On Wed, Jun 6, 2012 at 11:31 AM, Simon <simon@optinet.com> wrote:
> 
> > This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
> > stops forwarding using the rule above because of "too many dynamic
> > rules"
> 
> Change the defaults for the fw.dyn sysctl MIB nodes
> 
> to something like
> 
> net.inet.ip.fw.dyn_short_lifetime=3
> net.inet.ip.fw.dyn_udp_lifetime=3
> net.inet.ip.fw.dyn_rst_lifetime=1
> net.inet.ip.fw.dyn_fin_lifetime=1
> net.inet.ip.fw.dyn_syn_lifetime=10

Or raise net.inet.ip.fw.dyn_max to a larger number.  The default 4096 may be
too small.

-- 
	Dan Nelson
	dnelson@allantgroup.com
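As an added example (not part of this thread or of FreeBSD itself), a small sh check that reports how full the IPFW dynamic-rule table is before anyone touches dyn_max or the dyn_*_lifetime values. It reads the real net.inet.ip.fw.dyn_count and dyn_max sysctls on FreeBSD; elsewhere it falls back to a constructed sample of sysctl output, and the 80% warning threshold is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread): report how full the IPFW dynamic
# rule table is, so dyn_max / dyn_*_lifetime tuning is based on a number.
# Reads the sysctls live on FreeBSD; otherwise parses text in the same
# "name: value" format that sysctl(8) prints (constructed sample below).

# Print the value of net.inet.ip.fw.<key> from sysctl-format text on stdin.
fw_sysctl_value() {   # $1 = key (e.g. dyn_count)
    awk -v key="net.inet.ip.fw.$1" '$1 == key":" { print $2; exit }'
}

# Integer percentage of dyn_max currently in use, from sysctl-format text.
dyn_table_usage_pct() {   # stdin = sysctl output
    text=$(cat)
    count=$(printf '%s\n' "$text" | fw_sysctl_value dyn_count)
    max=$(printf '%s\n' "$text" | fw_sysctl_value dyn_max)
    [ -n "$count" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Classify usage against a warning threshold (assumed default 80%).
dyn_table_status() {   # $1 = percent, $2 = threshold
    [ "$1" -ge "${2:-80}" ] && echo warn || echo ok
}

# Constructed sample, as `sysctl net.inet.ip.fw.dyn_count
# net.inet.ip.fw.dyn_max` prints it: a box close to the default 4096
# limit, like the FIN_WAIT_2 pile-up described in the thread.
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_count: 3891
net.inet.ip.fw.dyn_max: 4096'

if [ "$(uname -s)" = FreeBSD ] && sysctl -q net.inet.ip.fw.dyn_max >/dev/null 2>&1; then
    INPUT=$(sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max)
else
    INPUT=$SAMPLE_SYSCTL
fi
pct=$(printf '%s\n' "$INPUT" | dyn_table_usage_pct)
echo "dynamic rule table at ${pct}% of dyn_max: $(dyn_table_status "$pct")"
```

On the constructed sample this reports 94% and "warn"; a live box that sits near 100% is the case where raising dyn_max, as suggested above, is the fix rather than only shortening lifetimes.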


